certificate auto-generation

dCache · Aug 15, 2023 · bcce823 · bcce823
1 parent fb22653
commit bcce823
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 14 deletions.
diff --git a/templates/cert-pvc.yaml b/templates/cert-pvc.yaml
@@ -0,0 +1,25 @@
+{{- range .Values.dcache.pools }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ $.Release.Name }}-pool-{{ . }}-certs-store
+spec:
+  resources:
+    requests:
+      storage: 1Mi
+  accessModes:
+    - ReadWriteOnce
+---
+{{ end }}
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ $.Release.Name }}-door-certs-store
+spec:
+  resources:
+    requests:
+      storage: 1Mi
+  accessModes:
+    - ReadWriteOnce
+
diff --git a/templates/configmap.yaml b/templates/configmap.yaml
@@ -40,11 +40,20 @@ data:
     [{{ $.Release.Name }}-door-svc/httpd]
 
     [{{ $.Release.Name }}-door-svc/webdav]
+    webdav.cell.name=webdav-plain
     webdav.net.port=8080
     webdav.authz.anonymous-operations=FULL
     webdav.redirect.on-write=false
     webdav.redirect.on-read=true
 
+    [{{ $.Release.Name }}-door-svc/webdav]
+    webdav.cell.name=webdav-tls
+    webdav.net.port=8083
+    webdav.authn.protocol=https
+    webdav.authz.anonymous-operations=READONLY
+    webdav.redirect.on-write=false
+    webdav.redirect.on-read=true
+
     [{{ $.Release.Name }}-door-svc/frontend]
     frontend.authn.protocol=http
     frontend.authz.anonymous-operations=FULL
@@ -68,6 +77,9 @@ data:
     pool.mover.xrootd.port.max={{ $.Values.mover.xrootd }}
     pool.mover.http.port.min={{ $.Values.mover.http }}
     pool.mover.http.port.max={{ $.Values.mover.http }}
+    pool.mover.https.port.min={{ $.Values.mover.https }}
+    pool.mover.https.port.max={{ $.Values.mover.https }}
+
 
 {{- end }}
 
@@ -85,8 +97,10 @@ data:
     dcache.enable.kafka = true
     dcache.layout=dcache-k8s
     dcache.authn.vomsdir=/mnt
-    webdav.redirect.allow-https=false
-    pool.enable.encrypted-transfers=false
+    #webdav.redirect.allow-https=false
+    #pool.enable.encrypted-transfers=false
+    dcache.authn.hostcert.key=/opt/dcache/etc/certs/hostkey.pem
+    dcache.authn.hostcert.cert=/opt/dcache/etc/certs/hostcert.pem
 
   00-init.sh: |-
     export JAVA=/usr/bin/java

diff --git a/templates/door-svc.yaml b/templates/door-svc.yaml
@@ -17,6 +17,9 @@ spec:
     - name: webdav-door
       port: {{ $.Values.door.ports.webdav }}
       targetPort: 8080
+    - name: webdavs-door
+      port: {{ $.Values.door.ports.webdavs }}
+      targetPort: 8083
     - name: cell-tunnel
       port: {{ $.Values.cell.tunnel }}
       targetPort: 11111   
diff --git a/templates/door.yaml b/templates/door.yaml
@@ -18,9 +18,6 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command: ["/run.sh", "{{ $.Release.Name }}-door-svc" ]
-        env:
-          - name: AUTOCA_URL
-            value: https://ci.dcache.org/ca
         readinessProbe:
           tcpSocket:
             port: 2049
@@ -48,7 +45,26 @@ spec:
           mountPath: /opt/dcache/etc/exports
           subPath: exports
           readOnly: true
-      volumes:      
+        - name: certs
+          mountPath: /opt/dcache/etc/certs
+          readOnly: true
+      initContainers:
+        - securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          name: init-host-certs
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          env:
+            - name: AUTOCA_URL
+              value: https://ci.dcache.org/ca
+          command: ['sh', '-c', "curl --silent https://raw.githubusercontent.com/kofemann/autoca/v1.0-py3/pyclient/autoca-client -o /tmp/autoca-client; chmod a+x /tmp/autoca-client; cd /opt/dcache/var/tmp/; /tmp/autoca-client -n ${AUTOCA_URL} {{ $.Release.Name }}-door-svc; chown dcache:dcache *.pem"]
+          volumeMounts:
+            - mountPath: /opt/dcache/var/tmp/
+              name: certs
+      volumes:
+      - name: certs
+        persistentVolumeClaim:
+          claimName: {{ $.Release.Name }}-door-certs-store
       - name: dcache-config
         configMap:
           name: {{ $.Release.Name }}-configmap

diff --git a/templates/pool-svc.yaml b/templates/pool-svc.yaml
@@ -19,5 +19,8 @@ spec:
     - name: http-mover
       port: {{ $.Values.mover.http }}
       targetPort: {{ $.Values.mover.http }}
+    - name: https-mover
+      port: {{ $.Values.mover.https }}
+      targetPort: {{ $.Values.mover.https }}
 ---
 {{- end }}
diff --git a/templates/pool.yaml b/templates/pool.yaml
@@ -1,4 +1,4 @@
-{{- range .Values.dcache.pools }} 
+{{- range .Values.dcache.pools }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -19,9 +19,6 @@ spec:
         image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}"
         imagePullPolicy: {{ $.Values.image.pullPolicy }}
         command: ["/run.sh", "{{ $.Release.Name }}-pool-{{ . }}-svc"]
-        env:
-          - name: AUTOCA_URL
-            value: https://ci.dcache.org/ca
         volumeMounts:
         - name: dcache-config
           mountPath: /opt/dcache/etc/dcache.conf
@@ -31,11 +28,29 @@ spec:
           mountPath: /opt/dcache/etc/layouts/dcache-k8s.conf
           subPath: dcache.conf
           readOnly: true
+        - name: certs-store-{{ . }}
+          mountPath: /opt/dcache/etc/certs
+          readOnly: true
       initContainers:
-      - name: wait-for-core
-        image: busybox:1.28
-        command: ['sh', '-c', "until nc -z -v  {{ $.Release.Name }}-door-svc.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local {{ $.Values.cell.tunnel }}; do echo waiting for core to start; sleep 2; done"]
+        - securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          name: init-host-certs
+          image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}"
+          env:
+            - name: AUTOCA_URL
+              value: https://ci.dcache.org/ca
+          command: ['sh', '-c', "curl --silent https://raw.githubusercontent.com/kofemann/autoca/v1.0-py3/pyclient/autoca-client -o /tmp/autoca-client; chmod a+x /tmp/autoca-client; cd /opt/dcache/var/tmp/; /tmp/autoca-client -n ${AUTOCA_URL} {{ $.Release.Name }}-pool-{{ . }}-svc; chown dcache:dcache *.pem"]
+          volumeMounts:
+            - mountPath: /opt/dcache/var/tmp/
+              name: certs-store-{{ . }}
+        - name: wait-for-core
+          image: busybox:1.28
+          command: ['sh', '-c', "until nc -z -v  {{ $.Release.Name }}-door-svc.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local {{ $.Values.cell.tunnel }}; do echo waiting for core to start; sleep 2; done"]
       volumes:
+      - name: certs-store-{{ . }}
+        persistentVolumeClaim:
+          claimName: {{ $.Release.Name }}-pool-{{ . }}-certs-store
       - name: dcache-config
         configMap:
           name: {{ $.Release.Name }}-configmap

diff --git a/values.yaml b/values.yaml
@@ -23,8 +23,10 @@ door:
     nfs: 2049
     xrootd: 1094
     webdav: 8080
+    webdavs: 8083
 
 mover:
   nfs: 32049
   xrootd: 31094
-  http: 38080
+  http: 38080
+  https: 38083